VulnCon 2025 Wrapup


Last week, I got the opportunity to hang out with a few hundred of my closest vulnerability-handling friends at VulnCon 2025, held in smoky, barbecue-infused Raleigh, North Carolina.

VulnCon is one of the most surprisingly worthwhile security conferences in the U.S., and it’s only in its second year. Organized by a joint effort of the CVE Program and FIRST, VulnCon attracts about 600 people from this weird little corner of cybersecurity: a niche of a niche of a sector of the industry. It’s all people who care about identifying, describing, cataloging, archiving, and predicting software vulnerabilities. Occasionally, we’re interested in actually fixing or preventing them. But the fact is, we’re still in a period of human history where information systems are going to have security bugs — and kind of a lot of them — so keeping them straight seems pretty important.

Hyperfocused Content

I love these goofy nerds. We’ve all somehow managed to find ourselves in this oftentimes uncomfortable space of figuring out how to communicate effectively about technical vulnerabilities to “stakeholders,” which range from IT ops professionals to government regulators. Which vulnerabilities are important enough to drop what you’re doing and address right now? And more importantly, how can you tell?

Of course, we deal with the kinds of activities and problem spaces seen at larger, more general conferences. Many who went to VulnCon last week will be at BSidesSF and RSAC next week. Even so, there’s something magical that happens when you spend a few days with folks zeroed in on this very specific problem space.

There were nearly a hundred distinct talk tracks, hyperfocused on vulnerability identification and management. Titles ranged from the generally accessible (“How to Think About Vulnerabilities and Artificial Intelligence”), to the hands-on technical (“Using Jupyter Notebooks to Explore Public CVE Data”), to the almost comically esoteric (“EU CRA TL;DR for PSIRTs: What Product Security Needs To Do To Be Compliant with the CRA”). Like I said, VulnCon caters to a very specific sub-sub-subset of cybersecurity weirdos.

As you might suspect, this kind of problem space gets many of us out of bed in the morning at runZero, where we know it’s not just the named, CVE-identified vulnerabilities that bedevil our customers’ networks. We tackle those even-harder-to-find-and-describe misconfigurations, exposures, and goof-em-ups that present opportunities for attacker hijinks.

These aren’t the kinds of issues that show up neatly labeled in a vulnerability feed. They’re the edge cases: insecure-by-default services, forgotten development environments, shadow assets that never got inventoried. Exposure management means shining a light on all of it. And while that’s what runZero is built for, events like VulnCon give us a peek into how other teams are tackling these murky problems. We bring those insights back with us and apply them to our customers’ environments — helping them stay ahead of the chaos.

The Return of Chat

We had a fun innovation for this year’s VulnCon: every one of those nearly one hundred sessions had its own dedicated Discord chatroom, where people could not only drop their “more of a comment than a question” thoughts, but have actual conversations before and after the session, sometimes lasting multiple days. This chat functionality served a couple of purposes. It allowed the audience to stay focused on the speaker while also giving an outlet to other experts in the room who probably do actually know a thing or two the speaker didn’t cover.

The chat also made this in-person event much more accessible for those who couldn’t make the travel to Raleigh work. So, if you’re involved in organizing technical conferences, take note: your community might benefit from a parallel text chat.

Hallway Con

For me, the most valuable part of attending in-person technical conferences is all the stuff that happens in the in-between spaces. For example, I got to spend a couple of hours with Jay Jacobs, a co-chair of the EPSS SIG, which was insanely valuable to me. There are features and effects of the Exploit Prediction Scoring System that kind of mystified me, and what we discussed will absolutely inform my upcoming talk at NorthSec in Montréal on Vulnerability Haruspicy.

I also got a chance to staff the CVE Program booth (since I’m on the CVE Board) and had a few really good interactions with people who had questions and concerns about the CVE Program. It was enlightening.

Finally, since it’s jointly organized by FIRST — and FIRST is all about the PSIRTs (Product Security Incident Response Teams) — I met a couple of people who ended up handling some vulnerability reports I was involved with over the last year. That aspect of conferences and symposia is often overlooked and wildly valuable. For those who habitually report vulnerabilities to vendors and producers of software, and those who receive and triage those reports, the relationship can be… adversarial. Creating personal connections goes a long way toward establishing trust and respect between researchers and actual doers.

Next Con!

So while I got to see friends, consume Carolina barbecue (which, as a Texan, is an exotic departure from my usual fare), and hang out with super smart and fun people, VulnCon has turned out to be one of my most easily justified conferences of the year. It’s small — but not too small — with about 450 in-person participants and another 150 or so online. For comparison, RSAC next week is expected to draw about 45,000 participants, which is just massive.

And while I fully expect to have a good time at BSidesSF and RSAC, I’d be pleasantly surprised if I walked away with the kind of technical enrichment I get from, and can offer to, smaller venues like VulnCon. See you next year!

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government. He's also a founder and CNA point of contact for AHA!. He spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. He is also a CVE Board member, a Travis County Election Judge in Texas, and an internationally-tolerated horror fiction expert.
